Cylance Uncovers SMB Vulnerability That Affects All Windows Versions

On Monday, researchers at the security company Cylance disclosed a vulnerability that exists in all versions of Windows, including the yet-to-be-released Windows 10. The vulnerability enables hackers to steal users’ sensitive information.

The Redirect to SMB Vulnerability

“Redirect to SMB is a way for attackers to steal valuable user credentials by hijacking communications with legitimate web servers via man-in-the-middle attacks, then sending them to malicious SMB (server message block) servers that force them to spit out the victim’s username, domain and hashed password.”

Cylance recently uncovered Redirect to SMB (server message block) while looking for ways to compromise a chat client feature that provides image previews. However, Redirect to SMB is an extension of the original vulnerability, which was first researched by Aaron Spangler in 1997. The original method of attack affected Internet Explorer.

“The premise is simple: trick users into clicking on a link that causes their browser to authenticate with a remote SMB server controlled by an attacker. The result is the attacker obtains the target’s encrypted credentials.”

What’s Affected by Redirect to SMB

According to Brian Wallace, the vulnerability affects:

Various devices and machines: from any Windows PC to tablets and servers

How Redirect to SMB Is Used

According to Brian Wallace, “Redirect to SMB is most likely to be used in targeted attacks by advanced actors because attackers must have control over some component of a victim’s network traffic.” He added, “Malicious ads could also be crafted that would force authentication attempts from IE users while hiding malicious behavior from those displaying the advertising.”
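
A defensive check for the redirect described above, as an added example that is not from Cylance or the original article: it scans web-proxy records for HTTP redirects whose Location header is a file:// URL naming a remote host, which is the form that makes a Windows client open an SMB connection and attempt authentication. The record layout, the sample records and the INTERNAL_NETS ranges are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample proxy records: (client, status, requested URL, Location header).
SAMPLE_LOG = [
    ("10.0.4.17", 200, "http://updates.example.com/app.xml", ""),
    ("10.0.4.17", 302, "http://img.example.com/preview.png", "file://203.0.113.50/share/a.png"),
    ("10.0.4.22", 301, "http://intranet.example.com/docs", "file://10.0.0.5/docs/index.htm"),
    ("10.0.4.30", 302, "http://ads.example.net/banner", "file:////198.51.100.7/x/b.jpg"),
    ("10.0.4.31", 307, "http://shop.example.org/", "https://shop.example.org/"),
    ("10.0.4.32", 302, "http://help.example.org/", "file:///C:/help/index.htm"),
]
REDIRECT_CODES = {301, 302, 303, 307, 308}
# Assumption: the site's internal ranges; replace with your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def smb_host(location):
    """Return the remote host a file:// Location names, or None if there is none."""
    parts = urlsplit(location.strip())
    if parts.scheme != "file":
        return None
    if parts.hostname:                    # file://host/share/...
        return parts.hostname
    if parts.path.startswith("//"):       # file:////host/share/... (UNC-style form)
        return parts.path[2:].split("/", 1)[0] or None
    return None                           # file:///C:/... is a local path, no SMB

def classify(host):
    """'internal' or 'external' for IP literals, 'name' when DNS would be needed."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "name"                     # not resolved here; the example runs offline
    return "internal" if any(ip in net for net in INTERNAL_NETS) else "external"

def find_redirects_to_smb(records):
    """Return (client, requested_url, smb_host, verdict) for each 3xx pointing at SMB."""
    hits = []
    for client, status, url, location in records:
        if status in REDIRECT_CODES:
            host = smb_host(location)
            if host:
                hits.append((client, url, host, classify(host)))
    return hits

if __name__ == "__main__":
    for hit in find_redirects_to_smb(SAMPLE_LOG):
        print(hit)
```

Hits with an "external" verdict are the ones to triage first, since they name an SMB host outside the site's own address space.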